Predicate Abstraction of Java Programs with Collections

Predicate Abstraction of
Java Programs with Collections
Pavel Parízek, Ondřej Lhoták
Predicate abstraction
void main() {
int i = 0;
int x = 1;
void main() {
bool P_ilt0 = false;
bool P_xle0 = false;
while (*) {
// x += i;
if (P_xle0 && P_ilt0)
P_xle0 = true;
else if (!P_xle0 && !P_ilt0)
P_xle0 = false;
else P_xle0 = *;
// i++;
P_ilt0 = P_ilt0 ? * : false;
}
if (P_xle0) ERROR;
while (i < 1) {
x += i;
i++;
}
assert(x > 0);
}
Predicates
P_xle0: x <= 0
P_ilt0: i < 0
}
[T. Ball et al. PLDI 2001] [T. Ball et al. EuroSys 2006]
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Our work: Java programs with collections
id2thread.put(1, new ThreadInfo(1,5));
id2thread.put(2, new ThreadInfo(2,18));
id2thread.put(3, new ThreadInfo(3,10));
active.add(2); active.add(3);
List<Integer> schedule = new LinkedList();
Iterator<Integer> actIt = active.iterator();
while (actIt.hasNext()) {
int actID = actIt.next();
ThreadInfo actTh = id2thread.get(actID);
for (int i = 0; i < schedule.size(); i++) {
int schID = schedule.get(i);
ThreadInfo schTh = id2thread.get(schID);
if (actTh.priority > schTh.priority) {
schedule.add(i, actID);
break;
}
}
}
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Running example: properties
id2thread.put(1, new ThreadInfo(1,5));
id2thread.put(2, new ThreadInfo(2,18));
id2thread.put(3, new ThreadInfo(3,10));
active.add(2); active.add(3);
List<Integer> schedule = new LinkedList();
Iterator<Integer> actIt = active.iterator();
while (actIt.hasNext()) {
int actID = actIt.next();
ThreadInfo actTh = id2thread.get(actID);
for (int i = 0; i < schedule.size(); i++) {
int schID = schedule.get(i);
ThreadInfo schTh = id2thread.get(schID);
if (actTh.priority > schTh.priority) {
schedule.add(i, actID);
break;
}
actTh != null
schTh != null
}
}
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Running example: properties
id2thread.put(1, new ThreadInfo(1,5));
id2thread.put(2, new ThreadInfo(2,18));
id2thread.put(3, new ThreadInfo(3,10));
active.add(2); active.add(3);
List<Integer> schedule = new LinkedList();
(∀id ∈ active
∃(id, th) ∈ id2thread)
→ actTh != null
Iterator<Integer> actIt = active.iterator();
while (actIt.hasNext()) {
int actID = actIt.next();
ThreadInfo actTh = id2thread.get(actID);
for (int i = 0; i < schedule.size(); i++) {
int schID = schedule.get(i);
ThreadInfo schTh = id2thread.get(schID);
if (actTh.priority > schTh.priority) {
schedule.add(i, actID);
break;
}
}
}
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Contribution
• Predicate language for modeling collection state
at the interface level
• Modeling Java collections with abstract maps
• Weakest preconditions that capture state changes
• Optimizations for constructing abstract programs
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Java collections
• Views over maps (keys, values)
for (String s : m.keySet()) print(s);
• Nested collections (multiple levels)
m.put(2, new LinkedList());
• Lists: bounds on index parameters
if (i < ll.size()) String s = ll.get(i);
• Aliasing between elements
s = “abc”; set1.add(s); set2.add(s);
• Field accesses on stored objects
Data d = m.get(“abc”); print(d.count);
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Abstract maps
Map
get
size
containsKey
containsValue
findKey
Iterator
hasMore
getCurrent
moveNext
put
putAhead
remove
clear
createIterator
keysView
valuesView
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
From Java collections to abstract maps
Java
Our approach
Map
directly modeled
Set<T>
map<T, boolean>
List<T>
map<integer, T>
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Predicate language
id2thread.put(1, new ThreadInfo(1,5));
id2thread.put(2, new ThreadInfo(2,18));
id2thread.put(3, new ThreadInfo(3,10));
mget(map, active, 2) = true
active.add(2); active.add(3);
List<Integer> schedule = new LinkedList();
Iterator<Integer> actIt = active.iterator();
while (actIt.hasNext()) {
int actID = actIt.next();
ThreadInfo actTh = id2thread.get(actID);
for (int i = 0; i < schedule.size(); i++) {
int schID = schedule.get(i);
ThreadInfo schTh = id2thread.get(schID);
if (actTh.priority > schTh.priority) {
schedule.add(i, actID);
break;
}
}
}
morder(mit, active, 3, actIt)
morder(mit, active, actIt, ⊥)
msize(msz, schedule) = 0
mget(map, id2thread, 1) = ⊥
fread(priority, mget(map, id2thread, 1)) = 5
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Weakest preconditions
Statement
Predicate
WP(s,p)
∃qm : qm = m ∧
e = mget(map,qm,k)
mget(mupdate(map,m,k,v),
mget(map,m’,k’) = v’
m’,k’) = v’
r = m.get(k) r = e
m.put(k,v)
it.next()
morder(mit,m’,it,⊥)
∃qk : morder(mit,m’,it,qk) ∧
morder(mit,m’,qk,⊥)
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Constructing abstract programs
id2thread.put(1, new ThreadInfo(1,5));
id2thread.put(2, new ThreadInfo(2,18));
id2thread.put(3, new ThreadInfo(3,10));
// mget(map,id2thread,1) != ⊥
boolean bv1 = false;
active.add(2); active.add(3);
List<Integer> schedule = new LinkedList();
Iterator<Integer> actIt = active.iterator();
while (actIt.hasNext()) {
int actID = actIt.next();
ThreadInfo actTh = id2thread.get(actID);
for (int i = 0; i < schedule.size(); i++) {
int schID = schedule.get(i);
ThreadInfo schTh = id2thread.get(schID);
if (actTh.priority > schTh.priority) {
schedule.add(i, actID);
break;
}
}
}
mget(map, id2thread, 1) != ⊥
mget(map, active, 2 = true
actTh = null
// many other predicates
// mget(map,active,2) = true
boolean bv2 = false;
// actTh = null
boolean bv3 = true;
...
// statement: active.add(2)
atomic { bv2 = true; ... }
while (...) {
// statement: actTh = id2thread.get(actID)
if (bv1 && ...) bv3 = false;
// property check
if (bv3) assert false : "actTh == null";
...
}
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Algorithm
foreach stmt ∈ method do
foreach up ∈ predicatesUpdatedBy(stmt) do
wp = weakestPrecondition(stmt, up);
inPreds = influencingPredicates(stmt, up, wp);
foreach cb ∈ cubes(inPreds) do
newPredValue <- callSMT(“⋀cb ⇒ wp”);
generateOutputCode(up, cb, newPredValue);
// code: if (cb) up = newPredValue
end for
end for
end for
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Optimizations
• Selecting relevant predicates
– Statement: id2thread.put(1, new ThreadInfo)
– Updated predicate: mget(map,id2thread,1) = ⊥
• Conflicting literals
– Example: mget(map,id2thread,1) = ⊥
mget(map,id2thread,1) = actTh
– Example: morder(mit,active,2,⊥)
morder(mit,active,3,⊥)
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
J2BP
Java
program
WALA
J2BP
ASM
Yices
abstract
program
JPF
• Web: http://plg.uwaterloo.ca/~pparizek/j2bp/
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Benchmarks
• Programs created by Dillig et al. [POPL 2011]
• Examples from our paper
• Size: 30 – 65 lines of Java code
• Properties: equal lists, valid content of nested sets, list
elements not aliased, correct size of nested lists, ...
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Results
Program
Predicates
J2BP time
SMT calls
List copy
43
146 s
2086
Map copy
35
79 s
1114
Reverse map
54
332 s
3854
Set of map keys
33
21 s
312
Map of lists
77
14769 s
111331
List of sets
54
958 s
10836
Multimap
26
180 s
2566
Map values
54
477 s
6224
List elements
52
643 s
8456
List of key-value pairs
78
302 s
3324
6
9s
198
Thread scheduling
30
52 s
782
Rendering image
65
2612 s
20272
104
6654 s
67390
74
978 s
11344
Relationship between keys and values
Processing results of a cycling race
Simple data-flow analysis
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Results
Program
Predicates
J2BP time
SMT calls
List copy
43
146 s
2086
Map copy
35
79 s
1114
Reverse map
54
332 s
3854
Set of map keys
33
21 s
312
Map of lists
77
14769 s
111331
List of sets
54
958 s
10836
Multimap
26
180 s
2566
Map values
54
477 s
6224
List elements
52
643 s
8456
List of key-value pairs
78
302 s
3324
6
9s
198
Thread scheduling
30
52 s
782
Rendering image
65
2612 s
20272
104
6654 s
67390
74
978 s
11344
Relationship between keys and values
Processing results of a cycling race
Simple data-flow analysis
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Summary
• Contribution
– Verification technique based on predicate abstraction for
Java programs with collections
• Key aspects: path-sensitive, inter-procedural
• Next steps
– Automated inference of necessary predicates
– Better performance and scalability
– Integration with CEGAR-based verification frameworks
• Long term future
– Using our predicate language in other program verification
and bug finding techniques
• symbolic execution, interpolation based model checking
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták
Conclusion
Goal: verifying properties of Java program with collections
Required information about collections’ state
Modeling collections at the interface level
J2BP: http://plg.uwaterloo.ca/~pparizek/j2bp/
Predicate Abstraction of Java Programs with Collections | Pavel Parízek, Ondřej Lhoták